Sunday, June 4, 2017

Same origin policy for accessing DOM A webpage inside an iframe/frame is not allowed to modify or access the DOM of its parent or top page and vice-versa if both pages don’t belong to same origin. There are three ways of bypassing this restriction window.document.domain variable manipulation Proxy Cross Document Messaging

A frame or child page can bypass this restriction by setting window.document.domainvariable to the same domain name as the parent’s domain name.
Note that window.document.domain value can only be changed to parent’s domain name if the child page’s original domain is a sub domain of parent’s page or parent’s domain name is a sub domain of child’s domain name. For example parent page has domain name “www.example.com” and child page has domain name “www.blog.example.com” then child page can change its domain name to “www.example.com” but not “www.myexample.com”.
Let’s see an example of this
http://www.qnimate.com/parent.html
<iframe src="http://www.blog.qnimate.com/child.html" id="myIFrame"></iframe>
<script>
window.document.domain = "www.qnimate.com";//you also need to set the parent's document.domain variable
window.document.getElementById("myIFrame").contentWindow.document.body.style.backgroundColor = "red";//this access is allowed by default
</script>
http://www.blog.qnimate.com/child.html
<script>
window.document.domain = "www.qnimate.com"; //if we remove this line then the below line will not work and throw a same origin policy exception.
window.parent.document.body.style.backgroundColor = "blue";
</script>
You can also create a proxy script which will serve the content of iFrame from different domain.
Let’s see an example of this
http://www.qnimate.com/parent.html
<iframe src="http://www.qnimate.com/child.php" id="myIFrame"></iframe>
<script>
window.document.getElementById("myIFrame").contentWindow.document.body.style.backgroundColor = "red";//this access is allowed by default
</script>
http://www.qnimate.com/child.php

    echo file_get_contents('http://www.blog.qnimate.com/child.html');
?>
http:://www.blog.qnimate.com/child.html
<script>
window.document.domain = "www.qnimate.com"; //if we remove this line then the below line will not work and throw a same origin policy exception.
window.parent.document.body.style.backgroundColor = "blue";
</script>
Parent and Child page can also access each other’s DOM by sending messages to each other using Cross Document Messaging API.
Let’s see an example of this
http://www.qnimate.com/parent.html
<iframe src="http://www.blog.qnimate.com/child.html" id="myIFrame"></iframe>
<script>
var eventMethod = window.addEventListener ? "addEventListener" :"attachEvent";
var eventer = window[eventMethod];
var messageEvent = eventMethod == "attachEvent" ? "onmessage" :"message";

// Listen to message from child window
eventer(messageEvent,function(e) {
    if(e.data == "changebgofparent")
    {
        document.body.style.backgroundColor = "blue";
    }
},false);

window.document.getElementById("myIFrame").contentWindow.postMessage("changebgofchild","*");
/*postMessage second parameter represents the domain name to which this message can be sent to, if the child domain name doesn't match then this message will not be sent. Here * means any domain */ 
</script>
http://www.blog.qnimate.com/child.html
<script>
var eventMethod = window.addEventListener ? "addEventListener" :"attachEvent";
var eventer = window[eventMethod];
var messageEvent = eventMethod == "attachEvent" ? "onmessage" :"message";

// Listen to message from child window
eventer(messageEvent,function(e) {
    if(e.data == "changebgofchild")
    {
        document.body.style.backgroundColor = "red";
    }
},false);

window.parent.postMessage("changebgofparent","*");
/*postMessage second parameter represents the domain name to which this message can be sent to, if the child domain name doesn't match then this message will not be sent. Here * means any domain */ 
</script>

Same Origin Policy for AJAX

A webpage cannot make a AJAX Request to an another page if they both don’t belong to the same origin policy.
There are basically three ways of bypassing this restriction
  • Proxy server
  • JSONP
  • Cross-Origin Resource Sharing
To bypass this policy we can use a proxy script to get the contents of a remote file that doesn’t belong to the same origin.
Let’s see an example of this
http://www.qnimate.com/index.html
<script>
function loadXMLDoc()
{
var xmlhttp;
if (window.XMLHttpRequest)
  {
  xmlhttp=new XMLHttpRequest();
  }
else
  {
  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
xmlhttp.onreadystatechange=function()
  {
  if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
    document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
    }
}
xmlhttp.open("GET","http://www.qnimate.com/ajaxdata.php",true);
xmlhttp.send();
}
</script>
</head>
<body>

<button type="button" onclick="loadXMLDoc()">Request data</button>
<div id="myDiv"></div>
http://www.qnimate.com/ajaxdata.php

   echo file_get_contents('http://www.qscutter.com/ajaxdata.txt');
?>
Although a XMLHTTPRequest object cannot make a cross origin request, but a 

Saturday, June 3, 2017

when i started searching for OpenDns i started by reverse engeniering...that's the wrong approach...if your a MIM you need a to access the VPN by a frame on the docker..and so it is what's the post is about

if you want to access the Docker API from the containers, you can setup Docker to listen on the IP address of the Docker bridge.
To do that, you would:
  • create a bridge
    ip link add docker0 type bridge
  • assign an IP address to it
    ip link set docker0 up
    ip addr add 172.17.0.1/16 dev docker0
  • start docker and bind the API to the bridge
    docker -d -H 172.17.0.1:4242
Now you can access the Docker API from your containers.

stdio.h Source File - if you include this header on the shell...you might hack it on 61 seconds

stdio.h


to fit things in six character monocase externals, the
00022  * stdio code uses the prefix `__s' for stdio objects, typically
00023  * followed by a three-character attempt at a mnemonic.
00024  */
00025 
00026 #ifndef _STDIO_H_
00027 #ifdef __cplusplus

https://www.gnu.org/software/m68hc11/examples/stdio_8h-source.html


The ERESI Reverse Engineering Software Interface http://www.eresi-project.org

Hello dear ELFsh & E2dbg user, 

Try to read this README, its a precious information ressource for the ELF shell project . 

For impatient people, this is a short list of provided features : 

 . Analysis on nearly all types of sections
 . Cool disasm/resolving engine with libelfsh and libasm
 . Raw read/write capability into ELF32 AND ELF64
 objects
 . Modify ELF header, PHT, SHT, GOT, CTORS, DTORS, .dynamic, PAX bits
 . Modify symbol table, dynamic symbol table and relocation tables
 . Remove or reconstruct SHT
 . Real interactive and scripting modes
 . Many kind of section injection [even working in non-exec environments]
 . Control flow graphs with graphviz output (i386) : see modflow
 . ELFsh Module support and ELFsh internal API
 . Quiet output for tiny screens and shellcript friendship
 . Experimental ET_EXEC relocation and remapping feature (INTEL)
 . Full ET_REL injection into ET_EXEC (INTEL / SPARC / ALPHA)
 . PLT infection (INTEL, SPARC, ALPHA, MIPS)
 . ALTPLT technique (INTEL, SPARC, ALPHA)

https://github.com/thorkill/eresi

Hook function calls by replacing PLT(Procedure Linkage Table) entries.

What is plthook.

A utility library to hook library function calls issued by specified object files (executable and libraries). This modifies PLT (Procedure Linkage Table) entries in ELF format used on most Unixes or IAT (Import Address Table) entries in PE format used on Windows.

DynamoRIO Overview DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64/ARM/AArch64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows, Linux, or Android) and commodity IA-32, AMD64, ARM, and AArch64 hardware.

Existing DynamoRIO-based tools

Tools built on DynamoRIO and available in the release package include:

THE VAULT : The #! magic, details about the shebang/hash-bang mechanism on various Unix flavours

  • Fancy code

    • 2.8BSD implemented the test for the #! magic with a multi character constant
       #define SCRMAG '#!'
    • Demos (originally based on 2.9 BSD) inherited SCRMAG, and even added its own multi character constant for a variant of the magic:
       # define SCRMAG2 '/*#!'
       # define ARGPLACE "$*"
      Find more information in the end notes [Demos].
    • BSD/OS (2.0, sys/i386/i386/exec_machdep.c) shows a readable way to construct the magic
       [...]
       switch (magic) {
       /* interpreters (note byte order dependency) */
       case '#' | '!' << 8:
        handler = exec_interpreter;
        break;
       case [...]
  • POSIX.2 or SUSv2 / SUSv3 / SUSv4 mention #! only as a possible extension:
        Shell Introduction
        [...]
        If the first line of a file of shell commands starts with the
        characters #!, the results are unspecified.
    
        The construct #! is reserved for implementations wishing to provide
        that extension. A portable application cannot use #! as the first
        line of a shell script; it might not be interpreted as a comment.
        [...]
    
        Command Search and Execution
        [...]
        This description requires that the shell can execute shell
        scripts directly, even if the underlying system does not support
        the common #! interpreter convention. That is, if file foo contains
        shell commands and is executable, the following will execute foo:
    
          ./foo 
    There was a Working Group Resolution trying to define the mechanism.
    On the other hand, speaking about "#!/bin/sh" on any Unix:
     This is a really rocksolid and portable convention by tradition, if you expect anything from the Bourne shell family and its descendants to be called.

  • what's special about #!#! was a great hack to make scripts look and feel like real executable binaries.
    But, as a little summary, what's special about #!? (list mostly courtesy of David Korn)

    • the interpretername must not contain blanks
    • the length of the #! is much smaller than the maximum path length
    • $PATH is not searched for the interpreter
       (apart from an absolute path, the #! line also accepts a relative path,
       and #!interpreter is equivalent to #!./interpreter,
      however, it's not of any practical use)
    • the interpreter usually must no be a #! script again
    • the handling of arguments in the #! line itself is varying
    • the setuid mechanism may or may not be available for the script
    • there's no way to express #!$SHELL
  • Possible errors:
    • If the interpreter is not found, the system returns ENOENT.This error can be misleading, because many shells then print the script name instead of the interpreter in its #! line:
       $cat script.sh
       #!/bin/notexistent
       $ ./script.sh
       ./script.sh: not found 
      bash since release 3 subsequently itself reads the first line and gives a diagnostic concerning the interpreter
       bash: ./script.sh: /bin/notexistent: bad interpreter: No such file or directory
    • If the #! line is too long, at least three things can happen:
      • The line is truncated, usually to the maximum length allowed.
      • The system returns E2BIG (IRIX, SCO OpenServer) or ENAMETOOLONG (FreeBSD, BIG-IP4.2, BSD/OS4.1)
        and you get something like "Arg list too long" / "Arg list or environment too large" or "File name too long", respectively.
      • The kernel refuses to execute the file and returns ENOEXEC. In some shells this results in a silent failure.
        Other shells subsequently try to interprete the script itself.

that's what the NSA - National Security Agency calls the Vault ..because they can hack all Solaris Oracle mirrors...It might be possible a very old 1992 technique, but upgraded now, which begins by making a symlink to set-UID script, that now solaris shell does not aloud kernel t open the interpreter (...on my humble knowledge, double checking the executable) however....

#! hacks

Scripts are executed as #!interpreter [arg] and most often as #!/usr/bin/env interpreter. Additional arguments cannot be used. This repo catalogs single file workarounds mostly for fun but also slightly serious.

Script Guidelines

  • Must be self-contained as a single file executable
  • Must support any number of interpreter arguments inline
  • Must use #!/usr/bin/env interpreter
  • Must echo the first argument with zero exit status
  • Must exit with nonzero status when no argument
  • Must work as any filename but should be named after the target program
  • Should be a paradigm (terse, clear, extensible)

License (Public Domain)

All code is public domain and may be used without limitation.